nova secgroup-list-rules shows empty table

Bug #1463372 reported by Alex Stafeyev
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
| OpenStack Compute (nova) | Invalid | Medium | Unassigned | |

Bug Description

We see no secgroup rules with the nova command.
We should see the existing rules even with the nova command, especially if we see the rules in the GUI via the COMPUTE tab.

1. see security groups with

neutron security-group-rule-list

2. see security groups with nova command

nova secgroup-list-rules GROUPID

nova secgroup-list-rules 54db0a3c-fc5d-4faf-8b1a
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
| | | | | default |
| | | | | default |
+-------------+-----------+---------+----------+---------------+

neutron security-group-rule-list
+--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
| id | security_group | direction | ethertype | protocol/port | remote |
+--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
| 0e1cdfae-38d6-4d58-b624-011c2c05e165 | default | ingress | IPv6 | any | default (group) |
| 13c64385-ac4c-4321-bd3f-ec3e0ca939e1 | default | ingress | IPv4 | any | default (group) |
| 261ae2ec-686c-4e53-9578-1f55d92e280d | default | egress | IPv4 | any | any |
| 41071f04-db2c-4e36-b5f0-8da2331e0382 | sec_group | egress | IPv4 | icmp | any |
| 45639c5d-cf4d-4231-a462-b180b9e52eaf | default | egress | IPv6 | any | any |
| 5bab336e-410f-4323-865a-eeafee3fc3eb | sec_group | ingress | IPv4 | icmp | any |
| 5e0cb33f-0a3c-41f8-8562-a549163d655e | sec_group | egress | IPv6 | any | any |
| 67409c83-3b62-4ba5-9e0d-93b23a81722a | default | egress | IPv4 | any | any |
| 82676e25-f37c-4c57-9f7e-ffbe481501b5 | sec_group | egress | IPv4 | any | any |
| 89c232f4-ec90-46ba-989f-87d7348a9ea9 | default | ingress | IPv4 | any | default (group) |
| ad50904e-3cd4-43e2-9ab4-c7cb5277cc4d | sec_group | egress | IPv4 | 1-65535/tcp | any |
| c3386b79-06a8-4609-8db7-2924e092e5e9 | default | egress | IPv6 | any | any |
| c37fe4d0-01b4-40f9-a069-15c8f3edffe4 | default | egress | IPv6 | any | any |
| c51371f1-d3ae-4223-a044-f7b9b2eeb8a1 | sec_group | ingress | IPv4 | 1-65535/udp | any |
| d3d6c1b3-bde5-45ce-a950-5bfd0fc7fc5c | default | ingress | IPv6 | any | default (group) |
| d4888c02-0b56-412e-bf02-dfd27ce84580 | sec_group | egress | IPv4 | 1-65535/udp | any |
| d7e0aee8-eee4-4ca1-b67e-ec4864a71492 | default | ingress | IPv4 | any | default (group) |
| df6504e5-0adb-411a-9313-4bad7074c42e | default | ingress | IPv6 | any | default (group) |
| e0ef6e04-575b-43ed-8179-c221d1e4f962 | default | egress | IPv4 | any | any |
| e828f2ef-518f-4c67-a328-6dafc16431b9 | sec_group | ingress | IPv4 | 1-65535/tcp | any |
+--------------------------------------+----------------+-----------+-----------+---------------+-----------------+

Kilo+rhel7.1
python-neutron-2015.1.0-1.el7ost.noarch
openstack-neutron-openvswitch-2015.1.0-1.el7ost.noarch
python-neutronclient-2.4.0-1.el7ost.noarch
openstack-neutron-2015.1.0-1.el7ost.noarch
openstack-neutron-ml2-2015.1.0-1.el7ost.noarch
openstack-neutron-lbaas-2015.1.0-3.el7ost.noarch
openstack-neutron-fwaas-2015.1.0-3.el7ost.noarch
openstack-neutron-common-2015.1.0-1.el7ost.noarch
python-neutron-lbaas-2015.1.0-3.el7ost.noarch
python-neutron-fwaas-2015.1.0-3.el7ost.noarch

openstack-nova-common-2015.1.0-4.el7ost.noarch
openstack-nova-cert-2015.1.0-4.el7ost.noarch
openstack-nova-compute-2015.1.0-4.el7ost.noarch
openstack-nova-console-2015.1.0-4.el7ost.noarch
python-nova-2015.1.0-4.el7ost.noarch
openstack-nova-scheduler-2015.1.0-4.el7ost.noarch
python-novaclient-2.23.0-1.el7ost.noarch
openstack-nova-api-2015.1.0-4.el7ost.noarch
openstack-nova-novncproxy-2015.1.0-4.el7ost.noarch
openstack-nova-conductor-2015.1.0-4.el7ost.noarch

Alex Stafeyev (astafeye) wrote :

In the GUI, in order to see secgroups we go through COMPUTE -> Security groups, so the CLI version of this should give the same output as the GUI.

description: updated
Markus Zoeller (markus_z) (mzoeller) wrote :

Reproduces with devstack:

Devstack commit: 84acb7a3a9af63e35ecc043d1426f568904ac22c
Nova commit: 7ddf7aab4edb09fab6e5b8f49461f7dbaa4da4a2

local.conf: http://paste.openstack.org/show/281460/
terminal session: http://showterm.io/18f66845ec3a97e5bacb8

Changed in nova:
status: New → Confirmed
melanie witt (melwitt) wrote :

I'm guessing this isn't a novaclient issue because usually if novaclient shows an empty table, it means nova responded with empty data. One way to check is to run 'nova --debug secgroup-list-rules GROUPID' and see if any data is coming back from nova in the response. If there is nothing in the response, is there any error in n-api.log?

Liyingjun (liyingjun) wrote :

Nova only supported ingress rules, so all egress rules will not be shown through the nova API; actually, they're excluded here [1]. Output of nova --debug secgroup-list-rules <SECGROUP_ID>:
...
RESP BODY: {"security_group": {"rules": [{"from_port": null, "group": {"tenant_id": "11ddf880084d4ac4a5c9b5670e71f07a", "name": "default"}, "ip_protocol": null, "to_port": null, "parent_group_id": "8b3da216-cd48-4e90-8c8a-358d3ec65896", "ip_range": {}, "id": "060a7978-0eb7-4813-8293-7d38d6a03e6c"}, {"from_port": null, "group": {"tenant_id": "11ddf880084d4ac4a5c9b5670e71f07a", "name": "default"}, "ip_protocol": null, "to_port": null, "parent_group_id": "8b3da216-cd48-4e90-8c8a-358d3ec65896", "ip_range": {}, "id": "4c4f94e4-8bf1-4ae1-acae-e0701de681e1"}, {"from_port": 22, "group": {}, "ip_protocol": "tcp", "to_port": 22, "parent_group_id": "8b3da216-cd48-4e90-8c8a-358d3ec65896", "ip_range": {"cidr": "0.0.0.0/0"}, "id": "7818519f-7873-4236-aac2-980663954d6e"}], "tenant_id": "11ddf880084d4ac4a5c9b5670e71f07a", "id": "8b3da216-cd48-4e90-8c8a-358d3ec65896", "name": "default", "description": "Default security group"}}
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| | | | | default |
| | | | | default |
| tcp | 22 | 22 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+

[1]: https://github.com/openstack/nova/blob/master/nova/network/security_group/neutron_driver.py#L98
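
The behaviour described in the comment above, as an added example that is not part of the thread and is not nova's code: a small audit helper that takes rules in Neutron's field layout, applies the ingress-only filter the comment describes, and reports which rules a review done through the nova listing would never see. The rule ids, the `sg-default` group id and all helper names are constructed for illustration.

```python
# Added illustration, not nova's driver code. Sample data is constructed.
def rule(rid, direction, protocol=None, ports=(None, None), cidr=None, group_id=None):
    """Build a rule dict using Neutron's security-group-rule field names."""
    return {"id": rid, "direction": direction, "protocol": protocol,
            "port_range_min": ports[0], "port_range_max": ports[1],
            "remote_ip_prefix": cidr, "remote_group_id": group_id}


GROUP_NAMES = {"sg-default": "default"}  # constructed group id -> name

NEUTRON_RULES = [
    rule("r1", "ingress", group_id="sg-default"),         # any protocol, from group
    rule("r2", "egress"),                                  # any protocol, to anywhere
    rule("r3", "ingress", "tcp", (22, 22), "0.0.0.0/0"),   # SSH from anywhere
    rule("r4", "egress", "icmp"),
]


def cell(value):
    """Render a table cell the way the listing does: None becomes blank."""
    return "" if value is None else str(value)


def nova_row(r):
    """Map one rule to the five columns of the nova table."""
    return (cell(r["protocol"]), cell(r["port_range_min"]),
            cell(r["port_range_max"]), cell(r["remote_ip_prefix"]),
            GROUP_NAMES.get(r["remote_group_id"], ""))


def audit(rules):
    """Summarise what the nova listing shows, and what it leaves out."""
    shown = [r for r in rules if r["direction"] == "ingress"]
    hidden = [r for r in rules if r["direction"] != "ingress"]
    rows = [nova_row(r) for r in shown]
    # A row with only Source Group filled looks empty, but it means
    # "any protocol, any port, from members of that group".
    blank_looking = [row for row in rows if not any(row[:4]) and row[4]]
    return {"rows": rows, "blank_looking": blank_looking,
            "hidden_ids": [r["id"] for r in hidden]}


if __name__ == "__main__":
    report = audit(NEUTRON_RULES)
    for row in report["rows"]:
        print("| " + " | ".join(c.ljust(9) for c in row) + " |")
    print("not shown by the nova listing:", report["hidden_ids"])
```

For a security review the `hidden_ids` list is the important part: egress policy has to be read from Neutron, because it never appears in this view.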

Changed in nova:
assignee: nobody → lyanchih (lyanchih)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/203022

Changed in nova:
status: Confirmed → In Progress
Changed in nova:
importance: Undecided → Medium
melanie witt (melwitt)
no longer affects: python-novaclient
Changed in nova:
assignee: Chung Chih, Hung (lyanchih) → nobody
status: In Progress → Confirmed
Anusha Unnam (anusha-unnam) wrote :

Based on the comment from Jay Pipes, it looks like the os-security-groups API extension has been deprecated and removed from Nova as of the 2.36 microversion.
So can we mark this bug as Invalid?

Changed in nova:
status: Confirmed → Invalid
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (master)

Change abandoned by Michael Still (<email address hidden>) on branch: master
Review: https://review.openstack.org/203022
Reason: This patch has been sitting unchanged for more than 12 weeks. I am therefore going to abandon it to keep the nova review queue sane. Please feel free to restore the change if you're still working on it.
